INI Injection Vulnerability in Sandboxie-Plus by Sandboxie-Plus
CVE-2026-34458

9.3 CRITICAL

Key Information:

Status:
Vendor:
CVE Published: 5 May 2026

What is CVE-2026-34458?

Sandboxie-Plus versions up to and including 1.17.2 are vulnerable to an INI injection flaw. The flaw lets a local user circumvent configuration protections such as EditAdminOnly and ConfigPassword and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service does not enforce authorization checks on inter-process communication messages that target sections prefixed with UserSettings_, and it does not adequately sanitize CRLF characters in either the setting name or the value parameter. By embedding a line break, a local user can introduce a new sandbox section with unrestricted permissions, which can lead to sandbox escape and privilege escalation to SYSTEM. The issue is resolved in version 1.17.3. For further details, refer to the security advisory and the release notes.
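The two missing controls the advisory names, an authorization rule for the unprivileged IPC path and CR/LF filtering on the setting name and value, can be expressed as a single pre-write check. The code below is an added illustration and is not Sandboxie's own code; it assumes the per-user section family is named UserSettings_<id> and that the service already knows whether the caller is an administrator.

```python
import re
import configparser

# Characters that let one setting break out of its own line or open a new
# section header once written to an INI file.
_CTRL = re.compile(r"[\r\n\[\]]")
# Section family the unprivileged IPC path is meant to be restricted to
# (the suffix format is an assumption for this example).
_USER_SECTION = re.compile(r"^UserSettings_[A-Za-z0-9_]+$")


def check_setting(section: str, name: str, value: str, caller_is_admin: bool) -> bool:
    """Validate a (section, name, value) write before it reaches Sandboxie.ini.

    Returns True when the write is acceptable; raises PermissionError for an
    unauthorized section and ValueError for INI control characters.
    """
    # Authorization: non-admin callers may only touch their own UserSettings_ section.
    if not caller_is_admin and not _USER_SECTION.fullmatch(section):
        raise PermissionError(f"non-admin caller may not write to [{section}]")
    # Sanitization: no CR, LF or brackets anywhere, and '=' is banned in the key.
    if _CTRL.search(section):
        raise ValueError("section name contains INI control characters")
    if not name or "=" in name or _CTRL.search(name):
        raise ValueError("setting name contains INI control characters")
    if _CTRL.search(value):
        raise ValueError("value contains CR/LF or section brackets")
    # Defence in depth: serialise the line and parse it back; the result must be
    # exactly one section holding exactly one key, so nothing the regexes missed
    # (e.g. a name starting with ';' or leading whitespace) can alter the layout.
    parsed = configparser.ConfigParser(interpolation=None)
    parsed.optionxform = str  # keep key case so the round-trip compare is exact
    parsed.read_string(f"[{section}]\n{name}={value}\n")
    if parsed.sections() != [section] or list(parsed[section]) != [name]:
        raise ValueError("serialised setting does not round-trip to a single key")
    return True


if __name__ == "__main__":
    # Constructed sample values, not real Sandboxie settings.
    print(check_setting("UserSettings_EXAMPLE1", "ExampleSetting", "y", caller_is_admin=False))
```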

Affected Version(s)

Sandboxie < 1.17.3

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
